Usually if its free you the product. They scraping data. Do we think a guest user profile with the ability to install new software locked down by the owner profile is enough to thwart any malware or data scraping?

There's one site I have in mind which even has an android app, which to me feels like free falling through a redflag tree and hitting every branch on the way down.

Let's say you accidentally click a banner and it tries to download something to your phone. But your permissions restrict downloads. And you don't have any accounts tied to that profile. How risky is it? Obviously its a non-zero risk. But what have peoples experiences been?

You don't need a profile for this purpose. Apps are always sandboxed and profiles do not provide a better sandbox. Their purpose is providing separate workspaces of apps, app data and profile data. Apps can't access each other's data and can't access profile data without your explicit consent.

Let's say you accidentally click a banner and it tries to download something to your phone. But your permissions restrict downloads. And you don't have any accounts tied to that profile. How risky is it? Obviously its a non-zero risk. But what have peoples experiences been?

The attack surface doesn't get larger based on your clicking on something specific and profiles are not really relevant to browser or OS exploits if that's your concern. Not clear what you mean by restricting downloads but this is just not how things work.

    GrapheneOS thanks for your help. I guess my fear is that by streaming a movie I'm somehow opening up a channel for the site to install some spyware or similar. You've mentioned thatbapps cannot communicate with one another without permissions, but the only permissions menus I've found are ones for sensors, network access etc. Is there a menu I'm missing which specifically blocks intents between specific apps?

    Thanks for your patience and input. Very much appreciated.